Posted on

Secure Your WordPress (WP Security in a Nutshell)

WordPress Security

As with everything in life, being secure comes down to being cautious, reasonable and thinking logically. Security is a serious business and security and WordPress is always a big issue.

Although development team is quick to release security patches and updates, the same cannot be said about WordPress themes and plugins made by independent developers.

WordPress best practices keep WordPress websites secure.

There are lots of WordPress security plugins, but it’s not enough to just leave it to some 3rd party plugin to take care of your business. It’s up to you to keep WordPress safe and get all angles covered.

1. Choose Wisely and Update Regularly

WordPress updates don’t always bring just cool new features and options, but patch security vulnerabilities and fix bugs.

When installing themes and plugins, make sure they’re being updated regularly and that the author is responding to support questions. Often a premium WordPress product gets you a premium service, as well. Whatever you choose, see whether it’s a product made with best practices in mind and this will ensure there are no compatibility or security issues.

Always use trusted sources and for free stuff this means the official WordPress theme or plugin repositories. If you want to use commercial themes or plugins, do your research and get informed on quality of the author.

2. Don’t Go With the Defaults

This one’s a tip from our developer Slobodan: is a large knowledge base, so whenever you have doubts about anything WordPress, try to find your answers there first. There’s a whole section on security and I would like to point out security through obscurity part:

  1. Don’t ever use the default administrator username – “admin”
  2. Default WordPress database prefix is – “wp_” and by changing this prefix you’ll repel some SQL injection attacks

3. Backup Your WordPress

Backups keep you safe not only from server failures and incompatible software updates, but also from hackers. For WordPress backup I think you should try BackWPup, free WordPress plugin.

I’ve written a review of the backup plugin and I suggest you take a look at it. You’ll have it set and configured on your websites in no-time.

4. Reduce Credentials

WordPress Credentials
People need only credentials that are enough for them to do their job. It basically means you should practice proper management and use of roles and capabilities. Nobody who’s only writing articles or editing posts needs administrative rights.

Your admin account should only be used when you’re performing administrative tasks, updating your WordPress installation, installing or deinstalling themes and plugins or for other major changes.

5. Use Strong Passwords

This one is simple. Use long pass-phrases, special characters and numbers for every single password. Don’t use same passwords for different accounts.

You can always use password management applications, like 1Password or cloud-based LastPass which can also create strong passwords for you.

6. Security Plugins

There are several security plugins for WordPress, but only two worth mentioning. They are:

Most plugins give a false sense of security, but these two will get you covered for just about any eventuality. You should’t think twice when enabling “limit login attempts feature” and for everything else there’s an explanation in the documentation. You can also try hardening WordPress security through .htaccess configuration file.


WordPress is growing at an unimaginable rate and so is the number of malicious WordPress attacks. Use and install only those products which are absolutely necessary to run your website. This applies to both themes and plugins. The more stuff you add the more stuff you need to maintain. If you need

Themes that have lots of features have a lot more stuff that can break and are generally more susceptible to hacker attack. Free things are not always good. Take a look at this post about Why You Should Never Search For Free Premium WordPress Themes.

If you’re maintaining and updating WordPress regularly, limiting credentials, using strong passwords and scheduled backups, you’re pretty much protected from anything malicious out there.

If you suspect you’ve been under attack or infected, try this free website malware scanner by Sucuri. These guys specialize in website security and offer professional service in maintaining and disinfecting websites.

If you have any more recommendations, share it with us in the comments section below. One can never be too secure.

Free Marketing Updates
Get the best marketing practices in your inbox.
We always respect your privacy.

Dragan Nikolic
I am a co-founder and editor at ThematoSoup, sharing marketing best practices, tips on how to simplify your online business and make it more manageable.
Dragan Nikolic
Hey @tj_reinhart do you accept new affiliate partners on Sumo? - 5 months ago
Dragan Nikolic

5 comments Secure Your WordPress (WP Security in a Nutshell)

  1. These are some good basic points, but there is a lot more someone that is familiar with software security can do. One of the biggest issues is sloppy coding in plugins. People will actually “code their own” functions instead of using base WordPress classes that do the same thing.

    Its such a huge issue I am actually starting a business around it. (shameless plug)

    1. No shame in it, your business will be useful to many WordPress publishers.

      What we focus on here at out blog is mostly tips for non-developers who don’t understand code, but if they want to make sure their plugins’ code is top notch, I’m sure they’d find a service that warns them about bad code very useful.

      1. Thanks Slobodan. You guys do a great job. I am following it now. The articles are really well written. I take it you are consultants even though I dont see a big “hire me” button. Shoot me an email at the address on this post Id be interested in rates and maybe some of the things you have done in the past.

  2. I can totally agree with the following statement by Dragan: “WordPress is growing at an unimaginable rate and so is the number of malicious WordPress attacks.”

    The blogosphere grows – The hacking increases! While these tips are basically just the tip of the iceberg – there are many, many more things one can do to decrease the possibility in having his/her WordPress site or blog exploited or fall victim to malicious attack.

    New bloggers have a tendency to overlook or “forget” many small things when starting a new blog.

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.